AMITIAE - Thursday 9 January 2014

Cassandra: Brazil - Where the Phish Come From - Identifying Sources using Mail and Network Utility

apple and chopsticks


By Graham K. Rogers


Early yesterday I received a number of emails that - as ever - looked genuine enough, but supposedly came from a bank I had no business with (Wells Fargo). Each had an attachment that pretended to be a PDF file containing valuable information, but was actually an .EXE file: malware for sure.

It is fairly early in the new year, but this seems to be the beginning of a new phishing season. This morning, there were three emails allegedly from Quicken: makers of well-known accounting software. Each also had the PDF-like attachment with the malicious secret inside. Each message was carrying the same file (identical file name) with that tell-tale extension.

Network Utility As I mentioned yesterday, I use that BetterZip Quick Look Generator which adds the ability to examine the contents of a zip file using the Finder QuickLook feature. I highlight the file in the email and press the spacebar.

I also looked at the raw source of the email message each of which had come from "" which looks genuine enough (a search with Google showed that the URL of Quicken is

To see that raw information, use the View menu in Mail and then Message > Raw source, or the key commands Option + Command + U. There were also sender details with a .br suffix - Brazil, which according to a line in the comedy play, Charlie's Aunt, is "where the nuts come from".

Network Utility

A bit more information was available in the IP numbers in the raw source, so I used the Network Utility App. There are a number of options, but often the quickest is the Lookup panel. This confirmed that the source really was Brazil. I tried to add to the information using Whois via but the links to Latin America were too slow. I tried this several times.

Traceroute was a bit better - there is a definite lag as True tries to connect with the outside world - and once again, via Singapore, we were connected to Brazil.

Beware. They really are still out to get us.

Graham K. Rogers teaches at the Faculty of Engineering, Mahidol University in Thailand where he is also Assistant Dean. He wrote in the Bangkok Post, Database supplement on IT subjects. For the last seven years of Database he wrote a column on Apple and Macs.



Made on Mac

For further information, e-mail to

information Tag information Tag

Back to eXtensions
Back to Home Page